package syd

import syd "git.sr.ht/~alip/syd/lib/src"

Syd: rock-solid application kernel

lib/src/syd.go: Go bindings of libsyd, the syd API C Library

Copyright (c) 2023, 2024, 2025 Ali Polatel <alip@chesswob.org>

SPDX-License-Identifier: LGPL-3.0

Package syd provides Go bindings for the libsyd C library.

Note: Build with CGO_LDFLAGS=-static to link libsyd statically.

Functions

func Api

func Api() (int, error)

Api performs a syd API check. This function should be called before making any other syd API calls. It's used to ensure that the syd environment is correctly set up and ready to handle further API requests.

Returns the API number (an integer) on success. If the call fails, it returns an error corresponding to the negated errno; the error is of type syscall.Errno.

func ChattrAdd

func ChattrAdd(action Action, glob string) error

ChattrAdd adds the specified glob pattern to the given actionlist of Chattr sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChattrDel

func ChattrDel(action Action, glob string) error

ChattrDel removes the last instance of the specified glob pattern from the given actionlist of Chattr sandboxing, that is, the first match found searching from the end of the list.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChattrRem

func ChattrRem(action Action, glob string) error

ChattrRem removes all matching patterns from the given actionlist of Chattr sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChdirAdd

func ChdirAdd(action Action, glob string) error

ChdirAdd adds the specified glob pattern to the given actionlist of Chdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChdirDel

func ChdirDel(action Action, glob string) error

ChdirDel removes the last instance of the specified glob pattern from the given actionlist of Chdir sandboxing, that is, the first match found searching from the end of the list.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChdirRem

func ChdirRem(action Action, glob string) error

ChdirRem removes all matching patterns from the given actionlist of Chdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func Check

func Check() error

Check performs an lstat system call on the file "/dev/syd".

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChgrpAdd

func ChgrpAdd(action Action, glob string) error

ChgrpAdd adds the specified glob pattern to the given actionlist of Chgrp sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChgrpDel

func ChgrpDel(action Action, glob string) error

ChgrpDel removes the last instance of the specified glob pattern from the given actionlist of Chgrp sandboxing, that is, the first match found searching from the end of the list.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChgrpRem

func ChgrpRem(action Action, glob string) error

ChgrpRem removes all matching patterns from the given actionlist of Chgrp sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChmodAdd

func ChmodAdd(action Action, glob string) error

ChmodAdd adds the specified glob pattern to the given actionlist of Chmod sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChmodDel

func ChmodDel(action Action, glob string) error

ChmodDel removes the last instance of the specified glob pattern from the given actionlist of Chmod sandboxing, that is, the first match found searching from the end of the list.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChmodRem

func ChmodRem(action Action, glob string) error

ChmodRem removes all matching patterns from the given actionlist of Chmod sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChownAdd

func ChownAdd(action Action, glob string) error

ChownAdd adds the specified glob pattern to the given actionlist of Chown sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChownDel

func ChownDel(action Action, glob string) error

ChownDel removes the last instance of the specified glob pattern from the given actionlist of Chown sandboxing, that is, the first match found searching from the end of the list.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChownRem

func ChownRem(action Action, glob string) error

ChownRem removes all matching patterns from the given actionlist of Chown sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChrootAdd

func ChrootAdd(action Action, glob string) error

ChrootAdd adds the specified glob pattern to the given actionlist of Chroot sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChrootDel

func ChrootDel(action Action, glob string) error

ChrootDel removes the last instance of the specified glob pattern from the given actionlist of Chroot sandboxing, that is, the first match found searching from the end of the list.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ChrootRem

func ChrootRem(action Action, glob string) error

ChrootRem removes all matching patterns from the given actionlist of Chroot sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func CreateAdd

func CreateAdd(action Action, glob string) error

CreateAdd adds the specified glob pattern to the given actionlist of Create sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func CreateDel

func CreateDel(action Action, glob string) error

CreateDel removes the last instance of the specified glob pattern from the given actionlist of Create sandboxing, that is, the first match found searching from the end of the list.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func CreateRem

func CreateRem(action Action, glob string) error

CreateRem removes all matching patterns from the given actionlist of Create sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultBlock

func DefaultBlock(action Action) error

Set default action for IP blocklist violations.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultChattr

func DefaultChattr(action Action) error

Set default action for Chattr sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultChdir

func DefaultChdir(action Action) error

Set default action for Chdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultChgrp

func DefaultChgrp(action Action) error

Set default action for Chgrp sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultChmod

func DefaultChmod(action Action) error

Set default action for Chmod sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultChown

func DefaultChown(action Action) error

Set default action for Chown sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultChroot

func DefaultChroot(action Action) error

Set default action for Chroot sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultCreate

func DefaultCreate(action Action) error

Set default action for Create sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultDelete

func DefaultDelete(action Action) error

Set default action for Delete sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultExec

func DefaultExec(action Action) error

Set default action for Exec sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultForce

func DefaultForce(action Action) error

Set default action for Force sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultIoctl

func DefaultIoctl(action Action) error

Set default action for Ioctl sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultMem

func DefaultMem(action Action) error

Set default action for Memory sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultMkdev

func DefaultMkdev(action Action) error

Set default action for Mkdev sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultMkdir

func DefaultMkdir(action Action) error

Set default action for Mkdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultMkfifo

func DefaultMkfifo(action Action) error

Set default action for Mkfifo sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultMktemp

func DefaultMktemp(action Action) error

Set default action for Mktemp sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultNet

func DefaultNet(action Action) error

Set default action for Network sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultPid

func DefaultPid(action Action) error

Set default action for PID sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultRead

func DefaultRead(action Action) error

Set default action for Read sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultReaddir

func DefaultReaddir(action Action) error

Set default action for Readdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultRename

func DefaultRename(action Action) error

Set default action for Rename sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultSegvGuard

func DefaultSegvGuard(action Action) error

Set default action for SegvGuard.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultStat

func DefaultStat(action Action) error

Set default action for Stat sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultSymlink

func DefaultSymlink(action Action) error

Set default action for Symlink sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultTPE

func DefaultTPE(action Action) error

Set default action for TPE sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultTruncate

func DefaultTruncate(action Action) error

Set default action for Truncate sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultUtime

func DefaultUtime(action Action) error

Set default action for Utime sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DefaultWrite

func DefaultWrite(action Action) error

Set default action for Write sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DeleteAdd

func DeleteAdd(action Action, glob string) error

DeleteAdd adds the specified glob pattern to the given actionlist of Delete sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DeleteDel

func DeleteDel(action Action, glob string) error

DeleteDel removes the last instance of the specified glob pattern from the given actionlist of Delete sandboxing, that is, the first match found searching from the end of the list.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DeleteRem

func DeleteRem(action Action, glob string) error

DeleteRem removes all matching patterns from the given actionlist of Delete sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableChattr

func DisableChattr() error

DisableChattr disables chattr sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableChdir

func DisableChdir() error

DisableChdir disables chdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableChgrp

func DisableChgrp() error

DisableChgrp disables chgrp sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableChmod

func DisableChmod() error

DisableChmod disables chmod sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableChown

func DisableChown() error

DisableChown disables chown sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableChroot

func DisableChroot() error

DisableChroot disables chroot sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableCreate

func DisableCreate() error

DisableCreate disables create sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableDelete

func DisableDelete() error

DisableDelete disables delete sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableExec

func DisableExec() error

DisableExec disables exec sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableForce

func DisableForce() error

DisableForce disables force sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableIoctl

func DisableIoctl() error

DisableIoctl disables ioctl sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableMem

func DisableMem() error

DisableMem disables memory sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableMkdev

func DisableMkdev() error

DisableMkdev disables mkdev sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableMkdir

func DisableMkdir() error

DisableMkdir disables mkdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableMkfifo

func DisableMkfifo() error

DisableMkfifo disables mkfifo sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableMktemp

func DisableMktemp() error

DisableMktemp disables mktemp sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableNet

func DisableNet() error

DisableNet disables network sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisablePid

func DisablePid() error

DisablePid disables PID sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableRead

func DisableRead() error

DisableRead disables read sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableReaddir

func DisableReaddir() error

DisableReaddir disables readdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableRename

func DisableRename() error

DisableRename disables rename sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableStat

func DisableStat() error

DisableStat disables stat sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableSymlink

func DisableSymlink() error

DisableSymlink disables symlink sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableTPE

func DisableTPE() error

DisableTPE disables TPE sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableTruncate

func DisableTruncate() error

DisableTruncate disables truncate sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableUtime

func DisableUtime() error

DisableUtime disables utime sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func DisableWrite

func DisableWrite() error

DisableWrite disables write sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableChattr

func EnableChattr() error

EnableChattr enables chattr sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableChdir

func EnableChdir() error

EnableChdir enables chdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableChgrp

func EnableChgrp() error

EnableChgrp enables chgrp sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableChmod

func EnableChmod() error

EnableChmod enables chmod sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableChown

func EnableChown() error

EnableChown enables chown sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableChroot

func EnableChroot() error

EnableChroot enables chroot sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableCreate

func EnableCreate() error

EnableCreate enables create sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableDelete

func EnableDelete() error

EnableDelete enables delete sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableExec

func EnableExec() error

EnableExec enables exec sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableForce

func EnableForce() error

EnableForce enables force sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableIoctl

func EnableIoctl() error

EnableIoctl enables ioctl sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableMem

func EnableMem() error

EnableMem enables memory sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableMkdev

func EnableMkdev() error

EnableMkdev enables mkdev sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableMkdir

func EnableMkdir() error

EnableMkdir enables mkdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableMkfifo

func EnableMkfifo() error

EnableMkfifo enables mkfifo sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableMktemp

func EnableMktemp() error

EnableMktemp enables mktemp sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableNet

func EnableNet() error

EnableNet enables network sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnablePid

func EnablePid() error

EnablePid enables PID sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableRead

func EnableRead() error

EnableRead enables read sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableReaddir

func EnableReaddir() error

EnableReaddir enables readdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableRename

func EnableRename() error

EnableRename enables rename sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableStat

func EnableStat() error

EnableStat enables stat sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableSymlink

func EnableSymlink() error

EnableSymlink enables symlink sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableTPE

func EnableTPE() error

EnableTPE enables TPE sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableTruncate

func EnableTruncate() error

EnableTruncate enables truncate sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableUtime

func EnableUtime() error

EnableUtime enables utime sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnableWrite

func EnableWrite() error

EnableWrite enables write sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func EnabledChattr

func EnabledChattr() bool

EnabledChattr checks if chattr sandboxing is enabled in the syd environment.

It returns true if chattr sandboxing is enabled, and false otherwise.

func EnabledChdir

func EnabledChdir() bool

EnabledChdir checks if chdir sandboxing is enabled in the syd environment.

It returns true if chdir sandboxing is enabled, and false otherwise.

func EnabledChgrp

func EnabledChgrp() bool

EnabledChgrp checks if chgrp sandboxing is enabled in the syd environment.

It returns true if chgrp sandboxing is enabled, and false otherwise.

func EnabledChmod

func EnabledChmod() bool

EnabledChmod checks if chmod sandboxing is enabled in the syd environment.

It returns true if chmod sandboxing is enabled, and false otherwise.

func EnabledChown

func EnabledChown() bool

EnabledChown checks if chown sandboxing is enabled in the syd environment.

It returns true if chown sandboxing is enabled, and false otherwise.

func EnabledChroot

func EnabledChroot() bool

EnabledChroot checks if chroot sandboxing is enabled in the syd environment.

It returns true if chroot sandboxing is enabled, and false otherwise.

func EnabledCreate

func EnabledCreate() bool

EnabledCreate checks if create sandboxing is enabled in the syd environment.

It returns true if create sandboxing is enabled, and false otherwise.

func EnabledCrypt

func EnabledCrypt() bool

EnabledCrypt checks if crypt sandboxing is enabled in the syd environment.

It returns true if crypt sandboxing is enabled, and false otherwise.

func EnabledDelete

func EnabledDelete() bool

EnabledDelete checks if delete sandboxing is enabled in the syd environment.

It returns true if delete sandboxing is enabled, and false otherwise.

func EnabledExec

func EnabledExec() bool

EnabledExec checks if exec sandboxing is enabled in the syd environment.

It returns true if exec sandboxing is enabled, and false otherwise.

func EnabledForce

func EnabledForce() bool

EnabledForce checks if force sandboxing is enabled in the syd environment.

It returns true if force sandboxing is enabled, and false otherwise.

func EnabledIoctl

func EnabledIoctl() bool

EnabledIoctl checks if ioctl sandboxing is enabled in the syd environment.

It returns true if ioctl sandboxing is enabled, and false otherwise.

func EnabledLock

func EnabledLock() bool

EnabledLock checks if lock sandboxing is enabled in the syd environment.

It returns true if lock sandboxing is enabled, and false otherwise.

func EnabledMem

func EnabledMem() bool

EnabledMem checks if memory sandboxing is enabled in the syd environment.

It returns true if memory sandboxing is enabled, and false otherwise.

func EnabledMkdev

func EnabledMkdev() bool

EnabledMkdev checks if mkdev sandboxing is enabled in the syd environment.

It returns true if mkdev sandboxing is enabled, and false otherwise.

func EnabledMkdir

func EnabledMkdir() bool

EnabledMkdir checks if mkdir sandboxing is enabled in the syd environment.

It returns true if mkdir sandboxing is enabled, and false otherwise.

func EnabledMkfifo

func EnabledMkfifo() bool

EnabledMkfifo checks if mkfifo sandboxing is enabled in the syd environment.

It returns true if mkfifo sandboxing is enabled, and false otherwise.

func EnabledMktemp

func EnabledMktemp() bool

EnabledMktemp checks if mktemp sandboxing is enabled in the syd environment.

It returns true if mktemp sandboxing is enabled, and false otherwise.

func EnabledNet

func EnabledNet() bool

EnabledNet checks if network sandboxing is enabled in the syd environment.

It returns true if network sandboxing is enabled, and false otherwise.

func EnabledPid

func EnabledPid() bool

EnabledPid checks if PID sandboxing is enabled in the syd environment.

It returns true if PID sandboxing is enabled, and false otherwise.

func EnabledProxy

func EnabledProxy() bool

EnabledProxy checks if proxy sandboxing is enabled in the syd environment.

It returns true if proxy sandboxing is enabled, and false otherwise.

func EnabledRead

func EnabledRead() bool

EnabledRead checks if read sandboxing is enabled in the syd environment.

It returns true if read sandboxing is enabled, and false otherwise.

func EnabledReaddir

func EnabledReaddir() bool

EnabledReaddir checks if readdir sandboxing is enabled in the syd environment.

It returns true if readdir sandboxing is enabled, and false otherwise.

func EnabledRename

func EnabledRename() bool

EnabledRename checks if rename sandboxing is enabled in the syd environment.

It returns true if rename sandboxing is enabled, and false otherwise.

func EnabledStat

func EnabledStat() bool

EnabledStat checks if stat sandboxing is enabled in the syd environment.

It returns true if stat sandboxing is enabled, and false otherwise.

func EnabledSymlink

func EnabledSymlink() bool

EnabledSymlink checks if symlink sandboxing is enabled in the syd environment.

It returns true if symlink sandboxing is enabled, and false otherwise.

func EnabledTPE

func EnabledTPE() bool

EnabledTPE checks if TPE sandboxing is enabled in the syd environment.

It returns true if TPE sandboxing is enabled, and false otherwise.

func EnabledTruncate

func EnabledTruncate() bool

EnabledTruncate checks if truncate sandboxing is enabled in the syd environment.

It returns true if truncate sandboxing is enabled, and false otherwise.

func EnabledUtime

func EnabledUtime() bool

EnabledUtime checks if utime sandboxing is enabled in the syd environment.

It returns true if utime sandboxing is enabled, and false otherwise.

func EnabledWrite

func EnabledWrite() bool

EnabledWrite checks if write sandboxing is enabled in the syd environment.

It returns true if write sandboxing is enabled, and false otherwise.

func Exec

func Exec(file string, argv []string) error

Exec executes a command outside the sandbox, that is, in a non-sandboxed environment with no sandboxing applied to it.

The function accepts a string for the file to execute and a slice of strings representing the arguments to the command.

Returns nil on success. If the call fails, it returns an error corresponding to the negated errno. The error is of type syscall.Errno.

func ExecAdd

func ExecAdd(action Action, glob string) error

ExecAdd adds the specified glob pattern to the given actionlist of Exec sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.
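The functions above share one call convention: Api must succeed before anything else, the library reports failure as a negated errno that the bindings surface as syscall.Errno, and a policy is built by enabling a category, setting its default action, then adding globs to an actionlist. The following added example (not part of the syd package) shows that sequence for Exec sandboxing against a hypothetical Sandbox interface and a constructed recorder, so it runs without libsyd; the Action values, the glob, and the return codes are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

// fromRC decodes the return convention every function on this page shares:
// a non-negative value is the result, a negative value is the negated errno,
// surfaced as a syscall.Errno.
func fromRC(rc int) (int, error) {
	if rc < 0 {
		return 0, syscall.Errno(-rc)
	}
	return rc, nil
}

// Action stands in for the package's Action type. These two values are
// constructed for the example; they are not the package's constants.
type Action int

const (
	ActionAllow Action = iota
	ActionDeny
)

// Sandbox is a hypothetical interface over the four syd calls the policy
// below needs, so ordering and error handling can be exercised without libsyd.
type Sandbox interface {
	Api() (int, error)
	EnableExec() error
	DefaultExec(action Action) error
	ExecAdd(action Action, glob string) error
}

// ApplyExecPolicy configures deny-by-default Exec sandboxing in the order the
// API requires: Api first, then enable the category, set its default action,
// then add the allow-listed globs. It stops at the first failing call and
// wraps the syscall.Errno with the failing step (errors.Is still works).
func ApplyExecPolicy(s Sandbox, allow []string) error {
	if _, err := s.Api(); err != nil {
		return fmt.Errorf("syd API check: %w", err)
	}
	if err := s.EnableExec(); err != nil {
		return fmt.Errorf("enable exec sandboxing: %w", err)
	}
	if err := s.DefaultExec(ActionDeny); err != nil {
		return fmt.Errorf("set exec default to deny: %w", err)
	}
	for _, glob := range allow {
		if err := s.ExecAdd(ActionAllow, glob); err != nil {
			return fmt.Errorf("allow exec of %q: %w", glob, err)
		}
	}
	return nil
}

// Recorder is a constructed Sandbox that logs each call and answers it with a
// configurable raw return code (0 when unset), decoded through fromRC exactly
// as the bindings decode libsyd's result. It never touches a real sandbox.
type Recorder struct {
	Calls []string
	RC    map[string]int
}

func (r *Recorder) ret(name string) (int, error) {
	r.Calls = append(r.Calls, name)
	return fromRC(r.RC[name])
}

func (r *Recorder) retErr(name string) error { _, err := r.ret(name); return err }

func (r *Recorder) Api() (int, error) { return r.ret("Api") }
func (r *Recorder) EnableExec() error  { return r.retErr("EnableExec") }
func (r *Recorder) DefaultExec(a Action) error {
	return r.retErr(fmt.Sprintf("DefaultExec:%d", a))
}
func (r *Recorder) ExecAdd(a Action, glob string) error {
	return r.retErr(fmt.Sprintf("ExecAdd:%d:%s", a, glob))
}

func main() {
	// Healthy environment: Api answers with the constructed API number 3.
	ok := &Recorder{RC: map[string]int{"Api": 3}}
	if err := ApplyExecPolicy(ok, []string{"/usr/bin/**"}); err != nil {
		fmt.Println("unexpected:", err)
		return
	}
	fmt.Println("calls:", ok.Calls)

	// Broken environment: Api fails with a constructed errno, so nothing else
	// is attempted and the errno is still recoverable from the wrapped error.
	bad := &Recorder{RC: map[string]int{"Api": -int(syscall.ENOSYS)}}
	err := ApplyExecPolicy(bad, []string{"/usr/bin/**"})
	var errno syscall.Errno
	fmt.Println(errors.As(err, &errno), errno == syscall.ENOSYS, bad.Calls)
}
```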

func ExecDel

func ExecDel(action Action, glob string) error

ExecDel removes the last instance of the specified glob pattern from the given actionlist of Exec sandboxing, that is, the first match found searching from the end of the list.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ExecRem

func ExecRem(action Action, glob string) error

ExecRem removes all matching patterns from the given actionlist of Exec sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ForceAdd

func ForceAdd(path string, hash string, action Action) error

ForceAdd adds an entry to the Integrity Force map for Force Sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ForceClr

func ForceClr() error

ForceClr clears the Integrity Force map for Force Sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ForceDel

func ForceDel(path string) error

ForceDel removes an entry from the Integrity Force map for Force Sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func IoctlAdd

func IoctlAdd(action Action, glob string) error

IoctlAdd adds the specified glob pattern to the given actionlist of Ioctl sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func IoctlDel

func IoctlDel(action Action, glob string) error

IoctlDel removes the first instance from the end of the given actionlist of Ioctl sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func IoctlDeny

func IoctlDeny(request uint64) error

IoctlDeny adds a request to the ioctl(2) denylist.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func IoctlRem

func IoctlRem(action Action, glob string) error

IoctlRem removes all matching patterns from the given actionlist of Ioctl sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func Load

func Load(fd int) error

Load instructs syd to read its configuration from the specified file descriptor, so that configuration can be loaded dynamically at runtime.

The function accepts a file descriptor (fd) as an argument. This file descriptor must be valid and refer to a file containing the desired configuration.

Returns nil on success. If the call fails, it returns an error corresponding to the negated errno. The error is of type syscall.Errno.

func Lock

func Lock(state LockState) error

Lock sets the state of the sandbox lock. Returns nil on success and a syscall.Errno on failure.

func MemMax

func MemMax(size string) error

MemMax sets the syd maximum per-process memory usage limit for memory sandboxing.

The size parameter is a string that can represent the size in different formats, as the parse-size crate is used to parse the value.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func MemVmMax

func MemVmMax(size string) error

MemVmMax sets the syd maximum per-process virtual memory usage limit for memory sandboxing.

The size parameter is a string that can represent the size in different formats, as the parse-size crate is used to parse the value.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func MkdevAdd

func MkdevAdd(action Action, glob string) error

MkdevAdd adds the specified glob pattern to the given actionlist of Mkdev sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func MkdevDel

func MkdevDel(action Action, glob string) error

MkdevDel removes the first instance from the end of the given actionlist of mkdev sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func MkdevRem

func MkdevRem(action Action, glob string) error

MkdevRem removes all matching patterns from the given actionlist of Mkdev sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func MkdirAdd

func MkdirAdd(action Action, glob string) error

MkdirAdd adds the specified glob pattern to the given actionlist of Mkdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func MkdirDel

func MkdirDel(action Action, glob string) error

MkdirDel removes the first instance from the end of the given actionlist of mkdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func MkdirRem

func MkdirRem(action Action, glob string) error

MkdirRem removes all matching patterns from the given actionlist of Mkdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func MkfifoAdd

func MkfifoAdd(action Action, glob string) error

MkfifoAdd adds the specified glob pattern to the given actionlist of Mkfifo sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func MkfifoDel

func MkfifoDel(action Action, glob string) error

MkfifoDel removes the first instance from the end of the given actionlist of mkfifo sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func MkfifoRem

func MkfifoRem(action Action, glob string) error

MkfifoRem removes all matching patterns from the given actionlist of Mkfifo sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func MktempAdd

func MktempAdd(action Action, glob string) error

MktempAdd adds the specified glob pattern to the given actionlist of Mktemp sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func MktempDel

func MktempDel(action Action, glob string) error

MktempDel removes the first instance from the end of the given actionlist of mktemp sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func MktempRem

func MktempRem(action Action, glob string) error

MktempRem removes all matching patterns from the given actionlist of Mktemp sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func NetBindAdd

func NetBindAdd(action Action, addr string) error

NetBindAdd adds the specified address pattern to the given actionlist of Net/bind sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func NetBindDel

func NetBindDel(action Action, addr string) error

NetBindDel removes the first instance from the end of the given actionlist of Net/bind sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func NetBindRem

func NetBindRem(action Action, addr string) error

NetBindRem removes all matching patterns from the given actionlist of Net/bind sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func NetConnectAdd

func NetConnectAdd(action Action, addr string) error

NetConnectAdd adds the specified address pattern to the given actionlist of Net/connect sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func NetConnectDel

func NetConnectDel(action Action, addr string) error

NetConnectDel removes the first instance from the end of the given actionlist of Net/connect sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func NetConnectRem

func NetConnectRem(action Action, addr string) error

NetConnectRem removes all matching patterns from the given actionlist of Net/connect sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func NetLinkAdd

func NetLinkAdd(action Action, addr string) error

NetLinkAdd adds the specified address pattern to the given actionlist of Net/link sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func NetLinkDel

func NetLinkDel(action Action, addr string) error

NetLinkDel removes the first instance from the end of the given actionlist of Net/link sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func NetLinkRem

func NetLinkRem(action Action, addr string) error

NetLinkRem removes all matching patterns from the given actionlist of Net/link sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func NetSendFdAdd

func NetSendFdAdd(action Action, addr string) error

NetSendFdAdd adds the specified address pattern to the given actionlist of Net/send sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func NetSendFdDel

func NetSendFdDel(action Action, addr string) error

NetSendFdDel removes the first instance from the end of the given actionlist of Net/send sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func NetSendFdRem

func NetSendFdRem(action Action, addr string) error

NetSendFdRem removes all matching patterns from the given actionlist of Net/send sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func Panic

func Panic() error

Panic causes syd to exit immediately with code 127.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func PidMax

func PidMax(size int) error

PidMax sets the syd maximum process ID limit for PID sandboxing.

The function takes an integer representing the maximum number of PIDs.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ReadAdd

func ReadAdd(action Action, glob string) error

ReadAdd adds the specified glob pattern to the given actionlist of Read sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ReadDel

func ReadDel(action Action, glob string) error

ReadDel removes the first instance from the end of the given actionlist of read sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ReadRem

func ReadRem(action Action, glob string) error

ReadRem removes all matching patterns from the given actionlist of Read sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ReaddirAdd

func ReaddirAdd(action Action, glob string) error

ReaddirAdd adds the specified glob pattern to the given actionlist of Readdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ReaddirDel

func ReaddirDel(action Action, glob string) error

ReaddirDel removes the first instance from the end of the given actionlist of readdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func ReaddirRem

func ReaddirRem(action Action, glob string) error

ReaddirRem removes all matching patterns from the given actionlist of Readdir sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func RenameAdd

func RenameAdd(action Action, glob string) error

RenameAdd adds the specified glob pattern to the given actionlist of Rename sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func RenameDel

func RenameDel(action Action, glob string) error

RenameDel removes the first instance from the end of the given actionlist of rename sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func RenameRem

func RenameRem(action Action, glob string) error

RenameRem removes all matching patterns from the given actionlist of Rename sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func Reset

func Reset() error

Reset causes syd to reset sandboxing to the default state. Allowlists, denylists and filters are cleared.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func SegvGuardExpiry

func SegvGuardExpiry(timeout uint64) error

SegvGuardExpiry sets the SegvGuard entry expiry timeout in seconds. Setting this timeout to 0 effectively disables SegvGuard.

The function takes an integer representing the timeout.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func SegvGuardMaxCrashes

func SegvGuardMaxCrashes(timeout uint8) error

SegvGuardMaxCrashes sets the maximum number of SegvGuard crashes before suspension.

The function takes an integer representing the limit.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func SegvGuardSuspension

func SegvGuardSuspension(timeout uint64) error

SegvGuardSuspension sets the SegvGuard entry suspension timeout in seconds.

The function takes an integer representing the timeout.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func StatAdd

func StatAdd(action Action, glob string) error

StatAdd adds the specified glob pattern to the given actionlist of Stat sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func StatDel

func StatDel(action Action, glob string) error

StatDel removes the first instance from the end of the given actionlist of Stat sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func StatRem

func StatRem(action Action, glob string) error

StatRem removes all matching patterns from the given actionlist of Stat sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func SymlinkAdd

func SymlinkAdd(action Action, glob string) error

SymlinkAdd adds the specified glob pattern to the given actionlist of Symlink sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func SymlinkDel

func SymlinkDel(action Action, glob string) error

SymlinkDel removes the first instance from the end of the given actionlist of symlink sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func SymlinkRem

func SymlinkRem(action Action, glob string) error

SymlinkRem removes all matching patterns from the given actionlist of Symlink sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func TruncateAdd

func TruncateAdd(action Action, glob string) error

TruncateAdd adds the specified glob pattern to the given actionlist of Truncate sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func TruncateDel

func TruncateDel(action Action, glob string) error

TruncateDel removes the first instance from the end of the given actionlist of truncate sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func TruncateRem

func TruncateRem(action Action, glob string) error

TruncateRem removes all matching patterns from the given actionlist of Truncate sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func UtimeAdd

func UtimeAdd(action Action, glob string) error

UtimeAdd adds the specified glob pattern to the given actionlist of Utime sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func UtimeDel

func UtimeDel(action Action, glob string) error

UtimeDel removes the first instance from the end of the given actionlist of utime sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func UtimeRem

func UtimeRem(action Action, glob string) error

UtimeRem removes all matching patterns from the given actionlist of Utime sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func WriteAdd

func WriteAdd(action Action, glob string) error

WriteAdd adds the specified glob pattern to the given actionlist of Write sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func WriteDel

func WriteDel(action Action, glob string) error

WriteDel removes the first instance from the end of the given actionlist of Write sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

func WriteRem

func WriteRem(action Action, glob string) error

WriteRem removes all matching patterns from the given actionlist of Write sandboxing.

Returns nil on success, and an error corresponding to the negated errno on failure. The error is of type syscall.Errno.

Types

type Action

type Action uint8

Action represents the actions for Sandboxing.

const (
	// Allow system call.
	ActionAllow Action = iota
	// Allow system call and warn.
	ActionWarn
	// Deny system call silently.
	ActionFilter
	// Deny system call and warn.
	ActionDeny
	// Deny system call, warn and panic the current Syd thread.
	ActionPanic
	// Deny system call, warn and stop offending process.
	ActionStop
	// Deny system call, warn and abort offending process.
	ActionAbort
	// Deny system call, warn and kill offending process.
	ActionKill
	// Warn, and exit Syd immediately with deny errno as exit value.
	ActionExit
)

An enumeration of the possible actions for Sandboxing.

type CidrRule

type CidrRule struct {
	Act string  `json:"act"`
	Cap string  `json:"cap"`
	Pat Pattern `json:"pat"`
}

type FilterRule

type FilterRule struct {
	Pat string `json:"pat"`
}

type ForceRule

type ForceRule struct {
	Act string `json:"act"`
	Sha string `json:"sha"`
	Pat string `json:"pat"`
}

type GlobRule

type GlobRule struct {
	Act string `json:"act"`
	Cap string `json:"cap"`
	Pat string `json:"pat"`
}

type LockState

type LockState uint8

LockState represents the state of the sandbox lock in Go.

const (
	// LockOff indicates that the sandbox lock is off, allowing all sandbox commands.
	// This state means there are no restrictions imposed by the sandbox.
	LockOff LockState = iota

	// LockExec indicates that the sandbox lock is on for all processes except the
	// initial process (syd exec child).
	LockExec

	// LockOn indicates that the sandbox lock is on, disallowing all sandbox commands.
	// In this state, the sandbox is in its most restrictive mode, not permitting
	// any operations that could modify its state or configuration.
	LockOn
)

An enumeration of the possible states for the sandbox lock.

type Pattern

type Pattern struct {
	Addr string      `json:"addr"`
	Port interface{} `json:"port"` // Port could be an int or a slice of ints
}

type Sandbox

type Sandbox struct {
	Flags           []string `json:"flags"`
	State           string   `json:"state"`
	Lock            string   `json:"lock"`
	Cpid            int      `json:"cpid"`
	DefaultStat     string   `json:"default_stat"`
	DefaultRead     string   `json:"default_read"`
	DefaultWrite    string   `json:"default_write"`
	DefaultExec     string   `json:"default_exec"`
	DefaultIoctl    string   `json:"default_ioctl"`
	DefaultCreate   string   `json:"default_create"`
	DefaultDelete   string   `json:"default_delete"`
	DefaultRename   string   `json:"default_rename"`
	DefaultSymlink  string   `json:"default_symlink"`
	DefaultTruncate string   `json:"default_truncate"`
	DefaultChdir    string   `json:"default_chdir"`
	DefaultReaddir  string   `json:"default_readdir"`
	DefaultMkdir    string   `json:"default_mkdir"`
	DefaultChown    string   `json:"default_chown"`
	DefaultChgrp    string   `json:"default_chgrp"`
	DefaultChmod    string   `json:"default_chmod"`
	DefaultChattr   string   `json:"default_chattr"`
	DefaultChroot   string   `json:"default_chroot"`
	DefaultUtime    string   `json:"default_utime"`
	DefaultMkdev    string   `json:"default_mkdev"`
	DefaultMkfifo   string   `json:"default_mkfifo"`
	DefaultMktemp   string   `json:"default_mktemp"`

	DefaultNetBind    string `json:"default_net_bind"`
	DefaultNetConnect string `json:"default_net_connect"`
	DefaultNetSendFd  string `json:"default_net_send_fd"`

	DefaultBlock string `json:"default_block"`

	DefaultMem string `json:"default_mem"`
	DefaultPid string `json:"default_pid"`

	DefaultForce     string `json:"default_force"`
	DefaultSegvGuard string `json:"default_segvguard"`
	DefaultTPE       string `json:"default_tpe"`

	MemMax              int64       `json:"mem_max"`
	MemVmMax            int64       `json:"mem_vm_max"`
	PidMax              int         `json:"pid_max"`
	CidrRules           []CidrRule  `json:"cidr_rules"`
	GlobRules           []GlobRule  `json:"glob_rules"`
	ForceRules          []ForceRule `json:"force_rules"`
	SegvGuardExpiry     uint64      `json:"segvguard_expiry"`
	SegvGuardSuspension uint64      `json:"segvguard_suspension"`
	SegvGuardMaxCrashes uint8       `json:"segvguard_maxcrashes"`
}

func Info

func Info() (*Sandbox, error)

Info reads the state of the syd sandbox from /dev/syd and returns it as a Sandbox struct.

If there is a failure in reading the file, the error returned is the corresponding syscall.Errno.

If there is a JSON decoding error, syscall.EINVAL is returned.
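As an added example (not code from the syd bindings), the following decodes a sandbox state document of the shape Info reads from /dev/syd and audits it: it normalises Pattern.Port, which may be a single port or a list of ports, and flags a lock that is not on, default actions that are not deny, and every network allow rule. The JSON sample and the string encodings "on", "deny" and "allow" are constructed assumptions, not values taken from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// pattern mirrors the page's Pattern type: Port is one port (float64) or a list.
type pattern struct {
	Addr string      `json:"addr"`
	Port interface{} `json:"port"`
}

// ports normalises Port to []int and rejects any other JSON shape.
func (p pattern) ports() ([]int, error) {
	switch v := p.Port.(type) {
	case float64:
		return []int{int(v)}, nil
	case []interface{}:
		out := make([]int, 0, len(v))
		for _, e := range v {
			f, ok := e.(float64)
			if !ok {
				return nil, fmt.Errorf("port entry %v is not a number", e)
			}
			out = append(out, int(f))
		}
		return out, nil
	}
	return nil, fmt.Errorf("unsupported port value %T", p.Port)
}

type cidrRule struct {
	Act string  `json:"act"`
	Cap string  `json:"cap"`
	Pat pattern `json:"pat"`
}

// state is the subset of the page's Sandbox struct this audit reads.
type state struct {
	Lock         string     `json:"lock"`
	DefaultWrite string     `json:"default_write"`
	DefaultExec  string     `json:"default_exec"`
	CidrRules    []cidrRule `json:"cidr_rules"`
}

// audit flags a lock other than "on", defaults other than "deny" and every network
// allow rule. The strings "on", "deny", "allow" are assumed; the page omits them.
func audit(raw []byte) ([]string, error) {
	var s state
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, err
	}
	var out []string
	if s.Lock != "on" {
		out = append(out, "lock is "+s.Lock+", not on")
	}
	for _, d := range []struct{ cat, act string }{{"write", s.DefaultWrite}, {"exec", s.DefaultExec}} {
		if d.act != "deny" {
			out = append(out, "default_"+d.cat+" is "+d.act)
		}
	}
	for _, r := range s.CidrRules {
		if ps, err := r.Pat.ports(); err != nil {
			return nil, err
		} else if r.Act == "allow" {
			out = append(out, fmt.Sprintf("net allow rule: %s %s %v", r.Cap, r.Pat.Addr, ps))
		}
	}
	return out, nil
}

var sampleState = []byte(`{"lock":"exec","default_write":"deny","default_exec":"allow",
"cidr_rules":[{"act":"allow","cap":"connect","pat":{"addr":"127.0.0.1/8","port":443}},
{"act":"allow","cap":"bind","pat":{"addr":"0.0.0.0/0","port":[8080,8443]}}]}`) // constructed sample
```

Feeding audit the JSON read from /dev/syd (or the struct Info returns, re-encoded) gives the same findings for a live sandbox.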